IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« New Okta Authentication Behavior Detected Suspicious Network Activity to the Internet by Previously Unknown Executable »

› ›

Multiple Okta Sessions Detected for a Single User

edit

Multiple Okta Sessions Detected for a Single User

edit

Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user’s session cookie and is using it to access the user’s account from a different location.

Rule type: threshold

Rule indices:

filebeat-*
logs-okta*

Severity: medium

Risk score: 47

Runs every: 60m

Searches indices from: now-30m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Lateral Movement

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Setup

edit

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule query

edit

event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*
    and not (okta.actor.id: okta* or okta.actor.display_name: okta*)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
Technique:
- Name: Use Alternate Authentication Material
- ID: T1550
- Reference URL: https://attack.mitre.org/techniques/T1550/
Sub-technique:
- Name: Web Session Cookie
- ID: T1550.004
- Reference URL: https://attack.mitre.org/techniques/T1550/004/

« New Okta Authentication Behavior Detected Suspicious Network Activity to the Internet by Previously Unknown Executable »